On Mon, Apr 19, 2004 at 09:32:47AM -0700, Matt Zimmerman wrote: > On Mon, Apr 19, 2004 at 06:08:51PM +0200, Jan Minar wrote: > > > On Sun, Apr 18, 2004 at 11:58:21AM -0700, Matt Zimmerman wrote: > > > untrusted source. This is a fundamental Unix feature (or flaw). Terminal > > > control sequences may be contained in the data. > > > > I've read this [1]analysis by by H D Moore. No matter how convenient > > the escape sequences that allow injecting of arbitrary data as-if typed > > by the user might be, they should go, and they should go now. > > Yes, I agree. Patches and bug reports, where appropriate, are welcome. > These are the real bugs, not Apache's. Come on, Matt: Virtually all terminal emulators are vulnerable, and the vulnerability is a common knowledge. The abovementioned paper was on Bugtraq 2003-02-24 21:02:52... Is the Security Team going to do something about it themselves (filing RC bugs at least)? Jan. -- Q: To prece nejde nekoho zastrelit jen tak. Kazdy ma sva nezadatelna lidska prava, i ten zlocinec. Bylo fakt nutne strilet? A: To urcite nebylo. Mohli ho chytit a ukopat.
Attachment:
pgpppPZKtPW9x.pgp
Description: PGP signature